It's not just your TV that can track your habits without consent
What companies do with your data depends on how 'personal information' is defined
If you want to know what products and services are tracking you without your consent, their privacy policies are a good place to start.
Own a PlayStation? Sony can share "non-personally identifying information and behavioural data from our studies with our affiliates and other third parties."
Belkin — which makes a line of smart light switches and power plugs under the WeMo brand — may also share "aggregated and anonymized non-personal information" about how you use its products with third parties.
- Vizio TVs secretly tracked viewership in U.S. without consent
- Canada Revenue Agency monitoring Facebook, Twitter posts of some Canadians
Similarly, "service providers, business partners and other trusted affiliates" might know how often you turn your smart light bulb on or off if you own a Philips Hue.
But privacy policies only tell part of the story.
"I think what I'm frequently shocked by is how advanced the technology capabilities are to do these things," says Fatemeh Khatibloo, an analyst at Forrester Research who specializes in consumer privacy. "I'm rarely surprised by what people will do. I'm surprised by what they can do."
Vizio TV owners in the U.S. found this out the hard way last week. The company was forced to pay the U.S. Federal Trade Commission $2.2 million U.S. for tracking the viewing habits of TV owners without their consent — then combining that data with information such as sex, age, income and marital status and selling it to third parties.
They say, "We never share personally identifiable information," [but] they're still selling a lot of identifying info.- Fatemeh Khatibloo, a Forrester Research analyst specializing in privacy
To pull it off, Vizio recorded some of the pixels displayed on consumers' TVs, and matched them with a database of TV shows, movies and ads (the company said that tracking was not enabled in Canada).
Though an extreme example, the Vizio case is part of a larger trend. A new generation of smart, always-on, internet-connected devices is redefining how companies collect and share user data — both the types of data collected and who that data is shared with.
And despite vague assurances that many types of data are only shared in anonymous, aggregate form — or better yet, with your consent — it's rarely clear what's happening behind the scenes.
Defining personal data
Much of what we know about what companies do with our data depends on what's considered personal information — typically, the threshold for whether data can be shared without your explicit consent.
"That's the loophole," says Pam Dixon, executive director of the World Privacy Forum, a non-profit research group. She says the definition of "personally identifiable" is typically up to the company.
"Typically when you read a privacy policy and they've carved out exclusions and they say we never share personally identifiable information, they're still selling a lot of identifying info," says Khatibloo.
For example, August, which manufactures an internet-connected keyless lock system for your house or apartment, does not share or sell its users' personal information without consent. But sharing "aggregate and non-personally-identifying information for industry analysis, demographic profiling, marketing and advertising" is fair game.
Similarly, the activity tracking company Fitbit says that de-identified data will be used for marketing, or "for sale to interested audiences." Fitbit defines "personally identifiable information" as "name, email or address, or data that could reasonably be linked back to you."
And Vizio — which, remember, just got slapped with a $2.2-million fine — says it, too, never paired the viewing data it sold "with personally identifiable information such as name or contact information," yet was fined for its aggregate collection practices all the same.
Getting personal
The root of the problem is that companies and consumers — and in Vizio's case, the FTC — don't always see eye to eye on what information is personal.
"My name is fundamentally less valuable to advertisers and marketers than all of my device browsing behaviour being combined into one place," says Khatibloo. "That tells people so much more about who I am than my name does."
The same goes for television viewing habits, how often you use your light bulbs, or your smart lock's record of the people entering and exiting your house.
One particular concern is that such information, when combined with other aggregate or anonymous sources of information, can be used to re-identify and target specific users — a practice explicitly forbidden by many companies who share or sell such data, but exactly what happened in the Vizio case.
"The company provided consumers' IP addresses to data aggregators, who then matched the address with an individual consumer or household," wrote Lesley Fair, a senior attorney with the FTC's Bureau of Consumer Protection. And while Vizio "prohibited the re-identification of consumers and households by name," it still allowed consumers to be targeted by "sex, age, income, marital status, household size, education, and home ownership."
As a result, the FTC is requiring Vizio to be more explicit about its practices, detail them separately from its privacy policy, and be up front in its efforts to obtain consent — a good precedent for other companies, Dixon says. But as the number of connected products and services continues to rise, it's only going to get more challenging to keep up.
"I think the most important example of data sharing that we're going to encounter in our everyday lives going forward is our cars, and our medical devices," she says (think driving data and health history).
"The key thing is, if you can tie that information back to a profile, like an individual or a single household, then it's identifiable. End of discussion."